0

I am trying to understand the behavior of a classic ASP page, to gain insight into injection vectors by looking at the IIS log and the behavior on a browser.

From the browser, I noticed that sometimes a page is never requested, depending on the spelling in the query string.

For example, https://example.com/test.asp?id=convert() opens the page and I can read the query string using Request.Querystring. Sure it's probably a sql injection vector, but my page reads it (and discards the request).

HOWEVER, https://example.com/test.asp?id=conveert() is never passed to the page. The page does not open, and a totally blank page appears on the browser.

Is the IIS Server pre-processing the query string and "rejecting" some QS's based on spelling? Both requests are in the IIS log with status 200. But only one gets to the test.asp page. Is this normal behavior on the server? The server guy tells me he is NOT filtering for "convert()".

Code example for logging querystring:

Dim conn,incomingQS
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")
conn.Execute("SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED")
incomingQS = Request.Querystring
incomingQS = DoubleApostrophes(incomingQS)
conn.Execute("INSERT INTO tabLog(qsDate,qsContent) VALUES (getdate(),'" & incomingQS & "')")
conn.Close
Set conn = Nothing

In the IIS log, when the querystring uses "CONVERT", there is an entry in my log. When the exact same querystring uses "CONVEERT", there is no entry, meaning the page is never referenced. Why would that be?

Thanks for any insight here.

user1693404
  • 173
  • 1
  • 12
  • 2
    Can you share a bit of the code of the ASP page, especially the bit that has the Request.Querystring and what it does with that? – Dijkgraaf Feb 11 '21 at 19:45
  • 1
    *The page does not open, and a totally blank* means it does some processing as wrong requests, or missing pages should not lead to a blank page. Share your code. – user2316116 Feb 11 '21 at 21:29
  • 1
    IIS _doesn't_ care how you spell query strings. `?conveert` probably doesn't execute the page because the code is expecting `?convert`. You'll need to post your code. – Adam Feb 12 '21 at 10:19
  • I have added the code, but I don't see how it helps. – user1693404 Feb 16 '21 at 23:13
  • Check the web.config if there are any custom modules added, which might be 'screening' requests. – Flakes Feb 18 '21 at 17:56
  • The difference between "convert" and "conveert" is the same difference between "black" and "white"... it is NOT a match and can never be considered so. – WilliamK Jun 29 '21 at 02:21

0 Answers0